VPN is disabled when waking from sleep after having enabled a VPN with Network Manager and then put the system to sleep/standby. Is this expected? Seems like a great way to leak your IP.
Yes, it is expected. When the system sleeps, nothing is maintaining your connection to the VPN server which will cause the connection to time out. (All processes, including NetworkManager sleep).
VPNs are useful to prevent the IP being associated with activity. They are not meant to simply hide IP. If someone is really watching, they know that a VPN is being used by the IP. They just don’t know what the user does after connecting to the VPN.
Network Manager reconnects upon waking from sleep. Why doesn’t the VPN too?
Which is then made pointless when activity automatically resumes without the VPN…
Not a clue. Please file a bug for this feature. If you can help them with it, that’ll be even better:
You should be able to configure your connection to automatically connect a VPN when it is activated.
- Open the NetworkManager configuration, select and edit your main connection
- under General check Automatically connect to VPN and select the VPN you want to connect to.
This might be a workable solution, although I’d still prefer resuming the previous state.
Unfortunately, Network Manager fails to automatically connect to wifi and VPN on startup or waking from sleep when Automatically connect to VPN is selected.
Failed to request VPN secrets #3: No agents were available for this request.
If the wifi network is selected manually, it then connects to both wifi and VPN successfully.
Sure, but I don’t know if this can be done since it’s not just up to the NetworkManager client to resume a connection. The VPN server will probably not keep idle connections open for too long to begin with—that isn’t quite scalable. The network connectivity must also be resumed before the VPN connection can be, and I’m not entirely sure if that can be done either. The access point/router/whatever one connects to does not remain in the same state while one’s machine sleeps, and nor do they remember each connection that’s gone inactive and what its state was.
If one has moved and connects to a different router etc, for example, the connection state will change, so will the IP. I don’t think the VPN server would not resume a connection with that client in this scenario either.
Could you please investigate and file bugs (RFEs) if these bits are implementable? Maybe worth speaking to the NetworkManager community anyway—all this may already be possible but not clearly exposed in the GUI?
@fasulia, I believe that if you really want to allow outgoing traffic only through VPN connection to avoid possible leakage when VPN disconnects/reconnects etc – there are ways to do it. I can’t give you detailed instructions, just some pointers/possibilities to consider.
You can configure your firewall to allow outgoing traffic only through VPN interface. There are numerous posts/questions/discussions on the Internet about this, I believe it’s possible, should not be very hard, and can be an interesting project. Keep in mind it’s easy to cut yourself out completely from outside world (and even your home network and router) playing with this.
As for automatic reconnection (to Wi-Fi and even to VPN) – if you can’t make NM do this automatically with GUI you can try to write your own script with nmcli (Network Manager command line interface) calls, something like this: connect to Wi-Fi, wait for a bit, verify you’re connected, connect to VPN, verify you have an active VPN connection. Test it manually, and if it works good enough – then you tell systemd to launch it every time your system wakes up.
Again, that’s just an idea, but it should be not that hard to do.
@fasulia, I just tested the VPN reconnect after resuming from sleep/suspend and it did work without a problem. When resuming there is no connection anymore and the WiFi connection gets activated, after that VPN connection is activated, I get a password prompt for my VPN key and then connects.
Concerning the message
Failed to request VPN secrets #3: No agents were available for this request.
it seems there are issues with gnome-shell. Since I run an XFCE desktop it might be that the problem does not occur for me. You also might want to show which Fedora version you are using and which VPN implementation (openvpn, openconnect, … ?)
You also might want to try the workaround from this link:
Another thing to try is to enable `vpn.persistent` in NetworkManager.
nmcli connection modify <vpn-connection-name> vpn.persistent yes
The solution is literally two clicks:
- Click the icon next to the password field (which I did not even realize was a button with hidden options)
- Select “Store the password for all users”
Hints came from here.
Thanks to all for the tips, especially @thomaswood for testing.
This still requires using “Automatically connect to VPN” for a given network connection, which makes sense at least for public wifi hotspots but not for all connections.
It would still be nice to have continuity with a VPN reconnecting automatically if it was enabled before the system went to sleep.
Maybe nmcli scripts are one solution as @nightromantic mentioned, though I hope NetworkManager has this option and I’m just unaware. I’d rather not have to mess with firewall settings.
To clarify: this does not resume the VPN session after waking from sleep. It re-establishes the VPN connection after the other interface (wired or wireless) has come up, right?
What do you mean? What’s the difference?
Yes it re-establishes the VPN connection. The IP might not be the same as before, but that doesn’t matter to me as long as the connection is still through the VPN.
That’s the difference: re-establishing a connection on wake is not the same as resuming an existing one. You’d said you’d prefer resuming the previous state earlier, so I wanted to clarify what solution we had reached here:
Good that you found a solution that works for you.
Ah, sorry for the confusion. By previous state, I was referring to the on/off states of VPN, Wifi, etc.
This “solution” allows a connection with “Automatically connect to VPN” checked to re-establish VPN connection upon waking from sleep.
A complete solution would be to resume the previous state (VPN on or off) regardless of whether that option is checked. That remains elusive.
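One way to get the "resume the previous VPN on/off state" behaviour asked for here, using the nmcli scripting and systemd wake-up hook suggested earlier in the thread. This is an added example, not code from any poster or from NetworkManager; the hook file name and state-file path are assumptions, and since the hook runs as root with no secrets agent it assumes the VPN password is stored for all users.

```shell
#!/bin/sh
# Added example. Install as an executable in /usr/lib/systemd/system-sleep/
# (file name such as "vpn-state" is hypothetical). systemd runs each hook
# there as: <hook> pre|post suspend|hibernate|hybrid-sleep|...
STATE_FILE="${STATE_FILE:-/run/vpn-state.active}"   # hypothetical path

# Read "UUID:TYPE" lines (nmcli terse output) on stdin and print only the
# UUIDs of tunnel profiles, so Wi-Fi and Ethernet are never recorded.
filter_vpn_uuids() {
    while IFS=: read -r uuid type; do
        case "$type" in
            vpn|wireguard) printf '%s\n' "$uuid" ;;
        esac
    done
}

# Before sleep: remember which VPN profiles were up (empty file = VPN off).
save_state() {
    nmcli -t -f UUID,TYPE connection show --active \
        | filter_vpn_uuids > "$STATE_FILE"
}

# After wake: bring back exactly the VPNs that were up before sleep.
restore_state() {
    [ -s "$STATE_FILE" ] || return 0     # VPN was off before: leave it off
    nm-online -q -t 30 || return 1       # wait for the underlying link
    rc=0
    while read -r uuid <&3; do
        # Skip profiles NetworkManager has already re-activated itself.
        if nmcli -t -f UUID connection show --active | grep -qx "$uuid"; then
            continue
        fi
        nmcli connection up uuid "$uuid" < /dev/null || rc=1
    done 3< "$STATE_FILE"
    rm -f "$STATE_FILE"
    return "$rc"
}

case "${1:-}" in
    pre)  save_state ;;
    post) restore_state ;;
esac
```

Traffic can still leave over the bare link in the window between wake-up and the VPN coming back; closing that window takes the firewall approach mentioned above.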
I don’t have a “main” connection. The use case is short sleep and wake up with/without cabled ethernet, or changing from one wifi connection to another one. So the underlying connection will change sometimes. The VPN is openvpn/UDP and supports it. If I run `sudo openvpn /etc/openvpn/connection.conf` it works perfectly, in fact. But Network Manager does the wrong thing. Is there a way to override this behavior?
WireGuard works great in this case as its tunnel is persistent by default.
So it requires no extra configuration and doesn’t go down on suspend.
My company uses openvpn with UDP, which also supports persistency and, as I said, the connection does not get disabled when I use openvpn from console, recovering when I suspend the laptop in a café and go home (it cuts the connection at a 10m timeout, and of course some TCP services will not stand up so much as 10 minutes). The problem discussed in the topic is fedora/network-manager killing connections on suspend/standby in spite of having set `vpn.persistent=true` and the underlying supporting persistent connections.
My company uses 2FA, so I need to look up the token and type it. No solution that is not “persist as much as it makes sense” works for me. And losing the VPN just because my hardware forces me to suspend for docking/undocking means a lot of actions (ask to connect, type the PIN, take the cellular out, look up the token…). Running openvpn without NetworkManager works and it is a reasonable workaround, missing mostly the icon in upper bar as inconvenience.
This is likely not a Fedora-specific issue, so you’d best report it upstream:
Diagnosed, fixed locally and a merge request sent upstream for openvpn. (Use the patched version of NetworkManager-openvpn AND set `vpn.persistent=true` in the connection needed)